Widespread confusion in the healthcare industry continues to persist about OCR risk analysis requirements under the HIPAA Security Rule, according to legal experts David Gacioch and Edward Zacharias of McDermott Will & Emery.
Failure to perform an adequate risk analysis continues to be one of the most commonly alleged HIPAA violations, appearing in half of the settlements OCR has announced in the last 12 months and in nearly all the $1 million-plus settlements reached during that time period, they noted.
The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
In an interview with HealthITSecurity.com, Zacharias said that the “guidance from OCR and from other governmental organizations hasn’t always been clear. Some have used the word ‘risk assessment’ and some have used the term ‘risk analysis.’”
“I don’t think there has been enough education around what constitutes a compliant risk analysis from the government’s perspective. Some of the guidance has been confusing,” Zacharias said.
Gacioch noted that cost could also be a factor in the failure of healthcare organizations to meet the HIPAA risk analysis requirements in OCR’s view.
“Doing what OCR deems to be a compliant risk analysis can be a pretty expensive undertaking,” he told HealthITSecurity.com. OCR’s formal estimate of the time it should take to complete a HIPAA risk analysis is “not realistic” when measured against the office’s actual standard for a compliant risk analysis, he said.
In its April Cyber Security Newsletter, OCR explained that a gap analysis can be used to identify problems with electronic protected health information (ePHI) security, but it is not a substitute for a HIPAA Security Rule risk analysis.
Commenting on the distinction, Gacioch observed that “risk analysis is focused on how your IT infrastructure works and how it protects the ePHI that is created, transmitted, and received in it” whereas “gap analysis is focused on how you comply with HIPAA or some other standard of conduct.”
“The risk analysis is a specific administrative safeguard requirement under the HIPAA Security Rule and that is to assess the potential threats and vulnerabilities to all the ePHI in your system,” Zacharias added.
Another source of confusion is the use of the terms risk analysis and risk assessment, which are often used interchangeably but mean different things, the lawyers observed.
In OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule, the office advises organizations to use NIST publication 800-30, which is entitled Guide for Conducting Risk Assessments, to conduct a HIPAA risk analysis.
“So there is confusion on the terminology, which is tough for a lot of organizations,” Zacharias commented.
In addition, a risk assessment is required under the HIPAA Breach Notification Rule to determine whether unauthorized use or disclosure of PHI creates more than a low probability of compromise, requiring reporting to OCR, they explained in a white paper.
That risk assessment is very different from the risk analysis required under the HIPAA Security Rule.
“There are any number of places where you could use the term risk assessment under HIPAA, not to mention the broader world of privacy and cybersecurity, where it means something different than the specific administrative safeguard [risk analysis] that is the foundation of your HIPAA Security Rule program,” Gacioch stressed.
9 Elements of a HIPAA Risk Analysis
In its guidance, OCR lays out nine elements that a risk analysis must include.
1. Scope of analysis
Account for potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits in any form and/or location.
“Many organizations will set out to do this the right conceptual way, but often end up limiting scope inadvertently to just their electronic medical records system or just their patient billing system. But there are many other places to examine for ePHI, such as email, spreadsheets, Word documents, and PowerPoints, among others,” observed Gacioch.
2. Data collection
Identify where the ePHI is stored, received, and maintained by reviewing past and/or existing projects, performing interviews, reviewing documentation, and using other data gathering techniques.
3. Identify and document potential threats and vulnerabilities
Identify and document reasonably anticipated threats to ePHI and vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI.
4. Assess current security measures
Assess and document the security measures an organization uses to safeguard ePHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.
5. Determine the likelihood of threat occurrence
Consider the probability of potential risks to ePHI and document all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability, and integrity of ePHI of an organization.
“Five is really a question of likelihood, after the threats have been identified. It’s a matter of looking at each identified threat and asking: How likely is it that that threat would come to pass, and then six looks at what is the impact that could have on the confidentiality, availability, and integrity of ePHI?” said Zacharias.
6. Determine the potential impact of threat occurrence
Assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability and document all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability, and integrity of ePHI within an organization.
7. Determine the level of risk
Assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. Document assigned risk levels and a list of corrective actions to be performed to mitigate each risk level.
8. Finalize documentation
The Security Rule requires the risk analysis to be documented but does not require a specific format. The risk analysis documentation is a direct input to the risk management process.
9. Periodic review and updates to the risk analysis
Conduct continuous risk analysis to identify when updates are needed. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities.
“Risk analyses should be reviewed and updated periodically, including in response to significant changes in the system and doing targeted risk analyses along the way when new applications, tools, etc. are implemented that weren’t part of your last enterprise-wide comprehensive risk analysis,” said Zacharias.
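As an added worked example (not from the article, OCR or NIST), the following Python sketches a minimal risk register that walks elements 1 through 7 above for a constructed set of ePHI locations: it scores each documented threat/vulnerability pair on an assumed NIST SP 800-30 style likelihood and impact scale, ranks the resulting risk levels with their corrective actions, and flags any ePHI location that has no documented threat/vulnerability pair, which is the inadvertent scope narrowing Gacioch describes. All systems, threats, ratings and thresholds are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed qualitative scale (NIST SP 800-30 style) for likelihood and impact.
SCALE = {"very low": 0, "low": 1, "moderate": 2, "high": 3, "very high": 4}


@dataclass
class RiskItem:
    asset: str              # where the ePHI lives (elements 1 and 2)
    threat: str             # reasonably anticipated threat (element 3)
    vulnerability: str      # weakness the threat could exploit (element 3)
    controls: str           # safeguard currently in place (element 4)
    likelihood: str         # element 5
    impact: str             # element 6
    corrective_action: str  # mitigation to document alongside the risk level


def risk_level(likelihood: str, impact: str) -> str:
    """Element 7: combine likelihood and impact into a qualitative level (assumed thresholds)."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 9:
        return "high"
    if score >= 4:
        return "moderate"
    if score >= 1:
        return "low"
    return "very low"


def scope_gaps(ephi_inventory, register):
    """Element 1 check: ePHI locations with no documented threat/vulnerability pair."""
    covered = {item.asset for item in register}
    return sorted(set(ephi_inventory) - covered)


def prioritized(register):
    """Element 7 output: (asset, threat, risk level, corrective action), highest risk first."""
    ranked = sorted(register, key=lambda i: SCALE[i.likelihood] * SCALE[i.impact], reverse=True)
    return [(i.asset, i.threat, risk_level(i.likelihood, i.impact), i.corrective_action) for i in ranked]


# Constructed inventory and register; none of these systems or ratings come from the article.
EPHI_INVENTORY = ["EHR database", "billing system", "staff email", "shared spreadsheets"]
REGISTER = [
    RiskItem("EHR database", "ransomware", "unpatched database host", "monthly patching",
             "moderate", "very high", "shorten patch SLA; maintain tested offline backups"),
    RiskItem("billing system", "lost laptop", "unencrypted local data cache", "none",
             "high", "high", "enforce full-disk encryption on all endpoints"),
    RiskItem("staff email", "phishing", "no MFA on webmail", "spam filtering",
             "high", "moderate", "require MFA for all mail access"),
]
```

Running `prioritized(REGISTER)` ranks the billing laptop exposure first, and `scope_gaps(EPHI_INVENTORY, REGISTER)` reports the shared spreadsheets as an ePHI location the register never examined.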
Financial Implications of Low-hanging Fruit
The lawyers warned about some of the penalties that organizations could face if they fail to satisfy OCR in terms of their risk analysis. “Risk analysis, because of the confusion around what it means, is sort of low-hanging fruit if OCR wants to find a target,” Zacharias noted.
Gacioch agreed. “This is a favorite target for OCR because it is so widely misunderstood and because it’s a foundational element that they think much of your Security Rule compliance drives off of.”
He noted that the penalties could range from $100 per day at the low end, for innocent violations, up to $50,000 or more per day at the high end, for “willful” violations.
“The penalties were capped on a calendar year basis at $1.5 million per violation but depending on the culpability level that OCR assesses in these failures to have a compliant risk analysis in place, you can readily hit that $1.5 million annual cap without too much trouble. So, the theoretical limit for a failure to have a compliant risk analysis would be $1.5 million times six years [statute of limitations], so $9 million per entity,” Gacioch related.
Zacharias cautioned that there have only been three formal civil monetary penalty enforcements and 52 informal settlements under the HIPAA Security Rule risk analysis requirement. While the penalties for violation could be stiff, most of the time OCR prefers to work with the organizations to help them come into compliance, he said.
Zacharias and Gacioch cautioned that OCR’s calculus appears to be shifting toward more enforcement, based on its public statements and enforcement activity trends over time.